On Fri, Sep 5, 2014 at 6:56 AM, Greg Wilkins <gregw@intalio.com> wrote:
>
>
> If the ciphers are inadequate for h2, then why aren't they inadequate for
> http/1, spdy and
> other protocols the ALPN might list?
>
they might well be inadequate for all those protocols, but we accept them
for the sake of backwards compatibility. (basically the same reason we
accept http:// urls at all).
h2 is an opportunity to update to current best practice. If you design a
pure h2 service you can be more confident in its security properties.